netplus.ch SA

Description

netplus.ch SA is a service company specialising in the field of telecommunications. The 100% French-speaking area multimedia operator provides more than 220,000 users with high-quality local Internet, telephony, and television services both in towns and rural areas. The company incorporates eleven networks marketing more than 460,000 multimedia services intended for both private and professional customers under the BLI BLA BLO and net+ brand names.

The bug bounty program netplus.ch SA is part of the higher-level bug bounty program of SUISSEDIGITAL association. SUISSEDIGITAL is the trade association of Swiss communication networks. Bringing together some 200 commercial and public sector companies from all over Switzerland and the Principality of Liechtenstein, the association's high-performance networks allow each of its members to act as a one-stop shop offering their customers leading-edge communication services. These services include broadband internet, landline and to some extent mobile telephony as well as radio and television, with all the advantages of digital technology.

Rules

Higher-level rules (SUISSEDIGITAL)

The association members of SUISSEDIGITAL operate various services (platforms, services). But only services from explicitly listed domains / URLs are in the scope of the Bug Bounty Program. All other domains or explicitly listed services are therefore not eligible for reward and do not fall under the Legal Safe Harbor Agreement.

Found bugs are eligible for reward only once, even if they are found at several association members (e.g. if the same software is in use). For this purpose, the association members report any vulnerabilities potentially relevant to more members to the association for distribution.

By participating in this Bug Bounty Program, Friendly Hackers undertake to document information about any vulnerability found exclusively via the platform's designated reporting form and not in any other places. They also agree to keep the found vulnerability secret for 90 days after reporting it on the platform. Finally, they undertake to upload to the platform any data from customers that they have obtained as part of a bug bounty program and to delete any local copies afterwards and not to distribute them further.

Friendly Hackers commits to not using methods that have a negative impact on the tested services or their users. Among others these are:

• Social engineering
• Spamming
• Phishing
• Denial-of-service attacks or other brute force attacks
• Physical attacks

In addition to the prohibited hacking methods listed above, Friendly Hackers are required to immediately discontinue vulnerability scanning if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.

Qualified vulnerabilities

Any design or implementation problem can be reported that is reproducible and affects security.

Typical examples:

• Cross Site Request Forgery (CSRF)
• Cross Site Scripting (XSS)
• Insecure Direct Object Reference
• Remote Code Execution (RCE) - Injection Flaws
• Information Leakage an Improper Error Handling
• Unauthorized access to properties or accounts

Other examples:

• Data/information leaks
• Possibility of data/information exfiltration
• Backdoors that can be actively exploited
• Potential for unauthorized system use
• Misconfigurations

Non-qualified vulnerabilities

The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:

• Attacks that require physical access to a user's device or network
• Forms with missing CSRF tokens (unless the criticality exceeds CVSS level 5)
• Self-XSS
• The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
• Reports from automated tools or scans without explanatory documentation
• Social engineering targeting individuals or entities of the organisation
• Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
• Bots, spam, bulk registration
• Submission of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
• Use of vulnerable and "weak" cipher suites/ciphers
• Missing Rate limiting without further security impact

Scope

In scope:

• my.dev.netplus.ch: Portal - Customer's selfcare portal
• dev.netplus.tv: Portal - Web TV portal
• caius.dev.netplus.ch: API - Online order library (API)
• my.sweez.ch: Portal - Sweez customer's selfcare portal

Out of scope:

All other domains and subdomains (as e.g. webmail). The parental control mechanism is out of scope, as not designed to be hacker proof.

Following endpoints are out of scope:

• https://viamotion.netplus.ch/vod/data_nfs/archived/hospitality_video/{ID}/_/box-dash/{ID}.mpd
• https://viamotionhsi.netplus.ch/vod/data_nfs/archived/hospitality_video/{ID}/_/box-dash/{ID}.mpd

Procedure

• Register / Login to GBF
• Start looking for vulnerabilities, respecting the definitions in this program (scope, rules, ...).
• Report found vulnerabilities and support the platform and the customer in verifying them.
• Get paid for confirmed, new vulnerabilities.

Legal

The organisation gives their approval for Friendly Hackers to use hacking methods based on the specified bug bounty program. Due to this consent, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the Friendly Hackers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.

Bounty Levels